forge/linux-uconsole
1
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity Actions
linux-uconsole/net/smc
History
Eric Dumazet 421ab4119e net/smc: fix leak of kernel memory to user space 
[ Upstream commit 457fed775c ]

As nlmsg_put() does not clear the memory that is reserved,
it this the caller responsability to make sure all of this
memory will be written, in order to not reveal prior content.

While we are at it, we can provide the socket cookie even
if clsock is not set.

syzbot reported :

BUG: KMSAN: uninit-value in __arch_swab32 arch/x86/include/uapi/asm/swab.h:10 [inline]
BUG: KMSAN: uninit-value in __fswab32 include/uapi/linux/swab.h:59 [inline]
BUG: KMSAN: uninit-value in __swab32p include/uapi/linux/swab.h:179 [inline]
BUG: KMSAN: uninit-value in __be32_to_cpup include/uapi/linux/byteorder/little_endian.h:82 [inline]
BUG: KMSAN: uninit-value in get_unaligned_be32 include/linux/unaligned/access_ok.h:30 [inline]
BUG: KMSAN: uninit-value in ____bpf_skb_load_helper_32 net/core/filter.c:240 [inline]
BUG: KMSAN: uninit-value in ____bpf_skb_load_helper_32_no_cache net/core/filter.c:255 [inline]
BUG: KMSAN: uninit-value in bpf_skb_load_helper_32_no_cache+0x14a/0x390 net/core/filter.c:252
CPU: 1 PID: 5262 Comm: syz-executor.5 Not tainted 5.5.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1c9/0x220 lib/dump_stack.c:118
 kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118
 __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215
 __arch_swab32 arch/x86/include/uapi/asm/swab.h:10 [inline]
 __fswab32 include/uapi/linux/swab.h:59 [inline]
 __swab32p include/uapi/linux/swab.h:179 [inline]
 __be32_to_cpup include/uapi/linux/byteorder/little_endian.h:82 [inline]
 get_unaligned_be32 include/linux/unaligned/access_ok.h:30 [inline]
 ____bpf_skb_load_helper_32 net/core/filter.c:240 [inline]
 ____bpf_skb_load_helper_32_no_cache net/core/filter.c:255 [inline]
 bpf_skb_load_helper_32_no_cache+0x14a/0x390 net/core/filter.c:252

Uninit was created at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:144 [inline]
 kmsan_internal_poison_shadow+0x66/0xd0 mm/kmsan/kmsan.c:127
 kmsan_kmalloc_large+0x73/0xc0 mm/kmsan/kmsan_hooks.c:128
 kmalloc_large_node_hook mm/slub.c:1406 [inline]
 kmalloc_large_node+0x282/0x2c0 mm/slub.c:3841
 __kmalloc_node_track_caller+0x44b/0x1200 mm/slub.c:4368
 __kmalloc_reserve net/core/skbuff.c:141 [inline]
 __alloc_skb+0x2fd/0xac0 net/core/skbuff.c:209
 alloc_skb include/linux/skbuff.h:1049 [inline]
 netlink_dump+0x44b/0x1ab0 net/netlink/af_netlink.c:2224
 __netlink_dump_start+0xbb2/0xcf0 net/netlink/af_netlink.c:2352
 netlink_dump_start include/linux/netlink.h:233 [inline]
 smc_diag_handler_dump+0x2ba/0x300 net/smc/smc_diag.c:242
 sock_diag_rcv_msg+0x211/0x610 net/core/sock_diag.c:256
 netlink_rcv_skb+0x451/0x650 net/netlink/af_netlink.c:2477
 sock_diag_rcv+0x63/0x80 net/core/sock_diag.c:275
 netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
 netlink_unicast+0xf9e/0x1100 net/netlink/af_netlink.c:1328
 netlink_sendmsg+0x1248/0x14d0 net/netlink/af_netlink.c:1917
 sock_sendmsg_nosec net/socket.c:639 [inline]
 sock_sendmsg net/socket.c:659 [inline]
 kernel_sendmsg+0x433/0x440 net/socket.c:679
 sock_no_sendpage+0x235/0x300 net/core/sock.c:2740
 kernel_sendpage net/socket.c:3776 [inline]
 sock_sendpage+0x1e1/0x2c0 net/socket.c:937
 pipe_to_sendpage+0x38c/0x4c0 fs/splice.c:458
 splice_from_pipe_feed fs/splice.c:512 [inline]
 __splice_from_pipe+0x539/0xed0 fs/splice.c:636
 splice_from_pipe fs/splice.c:671 [inline]
 generic_splice_sendpage+0x1d5/0x2d0 fs/splice.c:844
 do_splice_from fs/splice.c:863 [inline]
 do_splice fs/splice.c:1170 [inline]
 __do_sys_splice fs/splice.c:1447 [inline]
 __se_sys_splice+0x2380/0x3350 fs/splice.c:1427
 __x64_sys_splice+0x6e/0x90 fs/splice.c:1427
 do_syscall_64+0xb8/0x160 arch/x86/entry/common.c:296
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Fixes: f16a7dd5cf ("smc: netlink interface for SMC sockets")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Ursula Braun <ubraun@linux.vnet.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-02-24 08:34:34 +01:00
..
af_smc.c net/smc: do not schedule tx_work in SMC_CLOSED state 2019-08-09 17:52:32 +02:00
Kconfig net/smc: remove Kconfig warning 2017-07-29 11:22:58 -07:00
Makefile net/smc: add base infrastructure for SMC-D and ISM 2018-06-30 20:42:25 +09:00
smc.h net/smc: fix smc_poll in SMC_INIT state 2019-03-19 13:12:41 +01:00
smc_cdc.c net/smc: fix byte_order for rx_curs_confirmed 2019-12-05 09:21:09 +01:00
smc_cdc.h net/smc: fix byte_order for rx_curs_confirmed 2019-12-05 09:21:09 +01:00
smc_clc.c net/smc: fix sizeof to int comparison 2018-09-18 20:11:43 -07:00
smc_clc.h net/smc: provide fallback reason code 2018-07-25 22:25:53 -07:00
smc_close.c net/smc: enable fallback for connection abort in state INIT 2018-09-18 20:11:43 -07:00
smc_close.h net/smc: replace sock_put worker by socket refcounting 2018-01-26 10:41:56 -05:00
smc_core.c net/smc: prevent races between smc_lgr_terminate() and smc_conn_free() 2019-12-05 09:21:08 +01:00
smc_core.h net/smc: improve delete link processing 2018-07-25 22:25:53 -07:00
smc_diag.c net/smc: fix leak of kernel memory to user space 2020-02-24 08:34:34 +01:00
smc_ib.c RDMA/smc: Replace ib_query_gid with rdma_get_gid_attr 2018-08-17 16:45:51 -06:00
smc_ib.h net/smc: use correct vlan gid of RoCE device 2018-07-25 22:25:53 -07:00
smc_ism.c net/smc: send response to test link signal 2018-08-10 14:38:43 -07:00
smc_ism.h net/smc: add base infrastructure for SMC-D and ISM 2018-06-30 20:42:25 +09:00
smc_llc.c net/smc: improve delete link processing 2018-07-25 22:25:53 -07:00
smc_llc.h net/smc: improve delete link processing 2018-07-25 22:25:53 -07:00
smc_pnet.c smc: generic netlink family should be __ro_after_init 2018-09-20 07:49:55 -07:00
smc_pnet.h net/smc: use correct vlan gid of RoCE device 2018-07-25 22:25:53 -07:00
smc_rx.c net/smc: receive pending data after RCV_SHUTDOWN 2020-01-27 14:51:18 +01:00
smc_rx.h smc: add support for splice() 2018-05-04 11:45:06 -04:00
smc_tx.c net/smc: do not wait under send_lock 2019-12-17 20:35:33 +01:00
smc_tx.h net/smc: eliminate cursor read and write calls 2018-07-23 10:57:14 -07:00
smc_wr.c net/smc: use after free fix in smc_wr_tx_put_slot() 2019-12-13 08:51:34 +01:00
smc_wr.h net/smc: Simplify ib_post_(send|recv|srq_recv)() calls 2018-07-24 16:06:37 -06:00